Network Security, Patch/Configuration Management, Vulnerability Management

Microsoft patches flaws in IE, Defender

Microsoft Corp. yesterday issued out-of-band updates for a pair of security vulnerabilities, one in Internet Explorer and one in its Defender anti-malware software for Windows.

Discovered by Clément Lecigne of Google’s Threat Analysis Group and designated CVE-2019-1367, the IE bug is a memory corruption vulnerability that can be exploited for remote code execution in the context of the current user. If the current user has admin rights, then the attacker would have the power to install malicious programs, view and manipulate data and create new accounts.

Such an attack could be executed by sending potential victims emails that trick them into visiting a specially crafted website, viewed with IE.

Fixes for IE 11, 10 and 9 across various platforms have been released for downloading through security updates.

Meanwhile, the Microsoft Defender vulnerability, CVE-2019-1255, is a denial of service condition caused by mishandling of files." An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries," warns a vulnerability advisory from the software giant. However, "To exploit the vulnerability, an attacker would first require execution on the victim system."

In addition to Microsoft Defender itself, affected products include Microsoft System Center Endpoint Protection, 2012 Endpoint Protection and 2012 R2 Endpoint Protection, as well as Microsoft Forefront Endpoint Protection 2010 and Microsoft Security Essentials. Reported by Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab, the vulnerability was fixed in version 1.1.16400.2 of the Microsoft Malware Protection Engine.

Generally speaking, patching this vulnerability should not require user action, as Microsoft pushed it out to users who are configured to receive automatic updates. Users are encouraged to verify that they are receiving automated software updates.

The Defender update followed a series of reports last week that users were complaining on various tech support sites that Defender was performing incomplete scans that lasted only a few seconds.





Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related

Lincoln Project loses $35K following BEC attack

U.S. political action committee Lincoln Project, which was formed in 2019 to counter former President Donald Trump's re-election bid, has been impacted by a business email compromise attack in February that resulted in the exfiltration of $35,000, reports The Record, a news site by cybersecurity firm Recorded Future.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.